Snake Keylogger Steals victim Logins, Clipboard data, Keystrokes, and Capture Screen

Emails are extremely common in today’s digital communication landscape, with billions sent daily for personal, professional, and promotional purposes. 

While most emails are harmless, there is a risk associated with phishing attacks, malware distribution, and spam, making it essential to exercise caution when opening attachments or clicking on links from unknown sources.


Recently, researchers at Any.run analyzed a sophisticated keylogger dubbed “Snake,” which steals the following data from victims:-

  • Logins
  • Clipboard data
  • Keystrokes
  • Screen captures

Snake Keylogger

The Snake Keylogger, a .NET infostealer first seen in November 2020 and also known as 404 Keylogger, steals credentials, keystrokes, and screenshots, collects system information such as the hostname and IP address, and exfiltrates the data via FTP, SMTP, and Telegram.

The file chosen for analysis, “32b4f238-3516-b261-c3ae-0c570d22ee18.eml”, was opened in Microsoft Outlook on Windows 11 to reveal the email’s contents.

Email contents (Source – Any.run)

The email urges the recipient to download an attachment, referencing a ‘client,’ and poses as a Customs Clearing Agency in Bolivia, complete with the BMW logo, to exploit familiarity: a classic social engineering tactic.

Email headers provide vital information for assessing legitimacy, especially the SPF and DKIM results. Here the SPF check failed: the sending IP (45[.]227.X.34) is not designated as a permitted sender by the “[GREEN].com[.]bo” domain. On top of that, the message carries no DKIM signature, no DMARC result, and no message signature.

Email’s header shows the SPF, DKIM, and DMARC info (Source – Any.run)

This email, which claims to come from a brokering and insurance firm in Bolivia, is therefore almost certainly fake. In addition, it relies on social engineering, pressuring the receiver to download the attachment.
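The header triage described above (SPF fail, no DKIM, no DMARC) can be automated over an .eml file. The following is an added example and not Any.run’s tooling; the Authentication-Results header, sender domain (example.com.bo) and IP (192.0.2.10) are constructed placeholders, not the values from the analyzed message.

```python
import email
from email import policy

# Constructed sample mirroring the pattern in the article: SPF fails for the
# sending IP, the message is unsigned, and no DMARC result is present.
SUSPECT_EML = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=example.com.bo;
 dkim=none (message not signed);
 dmarc=none action=none header.from=example.com.bo
From: "Agencia Despachante" <despachos@example.com.bo>
To: victim@example.org
Subject: pago 4094

Adjunto el pago del cliente.
"""

# Constructed control sample where every check passes.
CLEAN_EML = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org;
 dmarc=pass action=none header.from=example.org
From: "Payroll" <payroll@example.org>
Subject: Monthly statement

Statement attached.
"""

def parse_auth_results(raw: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {"spf": None, "dkim": None, "dmarc": None}
    for header in msg.get_all("Authentication-Results", []):
        # First ';'-separated field is the authserv-id; the rest are method=result clauses.
        for clause in str(header).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method.strip().lower() in results and rest:
                results[method.strip().lower()] = rest.split()[0].lower()
    return results

def triage(raw: str) -> list:
    """Return the red flags an analyst would raise for this message."""
    r = parse_auth_results(raw)
    flags = []
    if r["spf"] in ("fail", "softfail"):
        flags.append(f"SPF {r['spf']}: sending IP not permitted by the sender domain")
    if r["dkim"] in (None, "none"):
        flags.append("no DKIM signature")
    if r["dmarc"] in (None, "none"):
        flags.append("no DMARC result")
    return flags
```

Feed the real .eml's text to `triage()` to get the same verdict the article reached by reading the headers manually.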

The attached ‘pago 4094.r09’ file contains ‘pago 4094.exe’, which carries the Yahoo! Buzz icon and is linked to a QBuzz 2011 copyright.

To test “pago 4094.exe,” the security analysts deliberately stored fake credentials in Chrome and Edge so they could observe its credential-stealing behaviour.

Saving fake Facebook credentials (Source – Any.run)

After the fake credentials were saved, executing ‘pago 4094.exe’ makes it vanish: it spawns a child process ‘C:\Users\admin\Desktop\pago 4094.exe’ and drops ‘tmpG484.tmp’ in ‘C:\Users\admin\AppData\Local\Temp’ for persistence.

At this point, Snake Keylogger runs silently to gather information, steal credentials, and exfiltrate data without alerting the user. Email threats like this one also exploit human error, which demands constant vigilance.

Recommendations

The recommended mitigations are:-

  • Zero Trust Security
  • Employee Training
  • Endpoint Security
  • Email Security Solutions
  • Multi-Factor Authentication


Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.